pix三接口配置

拓扑

pix三接口配置_第1张图片

R1

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int f0/0
R1(config-if)#ip address 13.0.1.2 255.255.255.0
R1(config-if)#no sh
R1(config-if)#
*Mar  1 00:01:44.059: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar  1 00:01:45.059: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#int f1/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#
*Mar  1 00:02:43.835: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Mar  1 00:02:44.835: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
R1(config-if)#end
R1#
*Mar  1 00:02:52.999: %SYS-5-CONFIG_I: Configured from console by console

//测试
R1#telnet 15.0.1.2
Trying 15.0.1.2 ...
% Destination unreachable; gateway or host down
//

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip route 15.0.1.0 255.255.255.0 13.0.1.1
R1(config)#ip route 14.0.1.0 255.255.255.0 13.0.1.1
R1(config)#ip route 16.0.1.0 255.255.255.0 13.0.1.1
R1(config)#end
R1#telnet 15.0.1.2
*Mar  1 00:08:50.839: %SYS-5-CONFIG_I: Configured from console by console
R1#telnet 15.0.1.2
Trying 15.0.1.2 ...
% Connection timed out; remote host not responding

R1#telnet 15.0.1.2
Trying 15.0.1.2 ... Open

User Access Verification

Password:
R3>exit

[Connection to 15.0.1.2 closed by foreign host]

R2

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int f0/0
R2(config-if)#ip address 14.0.1.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#
*Mar  1 00:03:22.447: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar  1 00:03:23.447: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)#int f1/0
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#no sh
R2(config-if)#
*Mar  1 00:03:48.779: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Mar  1 00:03:49.779: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
R2(config-if)#end
R2#
*Mar  1 00:03:56.151: %SYS-5-CONFIG_I: Configured from console by console
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

//这里将192.168.2.0网段的两台pc静态nat转换到14.0.1.0网段
R2(config)#int f0/0
R2(config-if)#ip nat outside
R2(config-if)#int
*Mar  1 01:24:40.823: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R2(config-if)#int f1/0
R2(config-if)#ip nat inside
R2(config-if)#exit
R2(config)#ip nat outside source static 192.168.2.2 14.0.1.3
R2(config)#ip nat outside source static 192.168.2.3 14.0.1.4
//路由
R2(config)#ip route 13.0.1.0 255.255.255.0 14.0.1.1
R2(config)#end

R3

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#int f0/0
R3(config-if)#ip address 15.0.1.2 255.255.255.0
R3(config-if)#no sh
R3(config-if)#int f1/0
*Mar  1 00:04:19.427: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar  1 00:04:20.427: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#int f1/0
R3(config-if)#ip address 16.0.1.1 255.255.255.0
R3(config-if)#no sh
R3(config-if)#
*Mar  1 00:04:37.531: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Mar  1 00:04:38.531: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
R3(config-if)#exit
R3(config)#line vty 0 4
R3(config-line)#password zwish
R3(config-line)#end
R3#
*Mar  1 00:05:00.915: %SYS-5-CONFIG_I: Configured from console by console
//接R1的测试,再配置下面的
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#ip route 13.0.1.0 255.255.255.0 15.0.1.1
R3(config)#ip route 192.168.1.0 255.255.255.0 15.0.1.1

PIX

pixfirewall# conf t
pixfirewall(config)# int e0
pixfirewall(config-if)# ip address 13.0.1.1 255.255.255.0
pixfirewall(config-if)# no sh
pixfirewall(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
pixfirewall(config-if)# security-level 100
pixfirewall(config-if)# int e1
pixfirewall(config-if)# ip address 14.0.1.1 255.255.255.0
pixfirewall(config-if)# no sh
pixfirewall(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
pixfirewall(config-if)# security-level 50
pixfirewall(config-if)# int e2
pixfirewall(config-if)# ip address 15.0.1.1 255.255.255.0
pixfirewall(config-if)# no sh
pixfirewall(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
pixfirewall(config-if)# end
pixfirewall# show int ip b
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  13.0.1.1        YES manual up                    up
Ethernet1                  14.0.1.1        YES manual up                    up
Ethernet2                  15.0.1.1        YES manual up                    up
Ethernet3                  unassigned      YES unset  administratively down down
Ethernet4                  unassigned      YES unset  administratively down down
pixfirewall#

//下面接着配置ping,这里我搜了许久,还是只搜到any any这一种能真正实现ping,指定主机或者网段的扩展访问列表设置了之后发现不生效)

pixfirewall(config)# nat (inside) 1 13.0.1.0 255.255.255.0
pixfirewall(config)# global (outside) 1 15.0.1.3-15.0.1.6 netmask 255.255.255.0
pixfirewall(config)# show nat

NAT policies on Interface inside:
  match ip inside 13.0.1.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 13.0.1.0 255.255.255.0 dmz any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 5, untranslate_hits = 0
  match ip inside 13.0.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (15.0.1.3 - 15.0.1.6)
    translate_hits = 25, untranslate_hits = 30
pixfirewall(config)# access-list test1 permit icmp any any
pixfirewall(config)# access-group test1 in int outside

//发布dmz区中的服务器14.0.1.2的telnet服务到公网ip 15.0.1.7
pixfirewall(config)# static (dmz,outside) 15.0.1.7 14.0.1.2
pixfirewall(config)# access-list test1 extended permit tcp any host 15.0.1.7 eq telnet
//发布dmz区中的14.0.1.3的www服务到公网15.0.1.8
pixfirewall(config)# static (dmz,outside) 15.0.1.8 14.0.1.3
pixfirewall(config)# access-list test1 extended permit tcp any host 15.0.1.8 eq www
//端口映射
pixfirewall(config)# static (dmz,outside) 15.0.1.9 110 14.0.1.4 110


//路由,这里就是192.168.1.0和16.0.1.0里的主机 ping时需要用到
pixfirewall(config)# route inside 192.168.1.0 255.255.255.0 13.0.1.2
pixfirewall(config)# route outside 16.0.1.0 255.255.255.0 15.0.1.2

测试截图:

R3 telnet DMZ里的14.0.1.2

pix三接口配置_第2张图片

ping:

pix三接口配置_第3张图片
更新:上面的any any问题解决了,之前还是没有理解好acces-list

假如我们inside里有一台主机192.168.1.2 ;outside里有一台主机13.0.1.2;想要让前者ping通后者

就需要给192.168.1.2设置一个全局地址,并且在outside接口允许icmp的echo-reply包通过

static (inside,outside) 192.168.1.2 13.0.1.3
access-list test1 permit icmp host 13.0.1.2 host 13.0.1.3 echo-reply
access-group test1 in int outside

你可能感兴趣的:(cisco交换机,路由器和防火墙)